-
Notifications
You must be signed in to change notification settings - Fork 233
67 lines (64 loc) · 2.55 KB
/
security-scans.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: Security Scans
on:
pull_request:
types: [opened, synchronize, labeled]
jobs:
snyk:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
- name: Run Snyk to check for package vulnerabilities
uses: snyk/actions/python-3.8@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
args: --all-projects --org=rasa --skip-unresolved
trivy:
name: Detecting hardcoded secrets
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
with:
# Fetch all history for all tags and branches
fetch-depth: '0'
- name: Run Trivy vulnerability scanner
id: trivy
uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac
continue-on-error: true
with:
format: 'table'
scan-type: 'fs'
exit-code: '1'
security-checks: 'secret'
- name: Alert on secret finding
if: steps.trivy.outcome == 'failure'
uses: slackapi/slack-github-action@936158bbe252e9a6062e793ea4609642c966e302
with:
payload: |
{
"text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CODESECURITY_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
- name: Fail build if a secret is found
if: steps.trivy.outcome == 'failure'
run: |
echo "=========================================================="
echo "| This build has failed because Trivy detected a secret. |"
echo "=========================================================="
echo "1. Check the step 'Run Trivy vulnerability scanner' for output to help you find the secret."
echo "2. If the finding is a false positive, add it as an entry to trivy-secret.yaml in the root of the repo to suppress the finding."
echo "3. If the finding is valid, the security team can help advise your next steps."
exit 1